Skip to content

[BUG] e2e Phase 6 PG-parity: test_ac1_* error at setup — _enable_dependency_map hits /admin/config without TOTP elevation (303) #1324

Description

@jsbattig

Summary

e2e Phase 6 (PostgreSQL parity), tests/e2e/pg_parity/test_02_pg_coordination_backends_1137.py: the two test_ac1_* tests ERROR at setup because the _enable_dependency_map fixture drives the Web-UI config front door (GET /admin/config) with an authenticated-but-unelevated session, which the server redirects (303 -> /login). The local _fetch_csrf helper calls raise_for_status() on that redirect and throws, aborting fixture setup.

Affected:

  • test_ac1_pg_dep_map_sentinel_conflict (ERROR at setup)
  • test_ac1_pg_release_then_accept_single_active_job (ERROR at setup)

Passing in the same file: test_ac2_* (do not call _enable_dependency_map, so never touch /admin/config) and all of test_01_pg_functional.py (including test_pg_login).

Error

httpx.HTTPStatusError: Redirect response '303 See Other' for url 'http://127.0.0.1:8901/admin/config'
Redirect location: '/login?redirect_to=/admin/config'

Raised from _enable_dependency_map -> form_csrf = _fetch_csrf(web, WEB_CONFIG) or login_csrf (WEB_CONFIG = /admin/config).

Root cause (proven, not hypothesized)

  1. Login succeeds — the fixture's POST /login returns a redirect and the assertion assert "session" in web.cookies passes, so a session cookie IS established.
  2. Cookie is transmitted — Phase 6 writes config.json with "host": "127.0.0.1" (e2e-automation.sh), and should_use_secure_cookies(config) returns False for 127.0.0.1/localhost/::1 (tests/unit/server/web/test_cookie_security.py). So the session cookie is NON-Secure and is sent over the plain-HTTP 127.0.0.1 connection. (The "Secure cookie not sent over HTTP" theory is therefore refuted.)
  3. The server RECEIVES the session cookie on GET /admin/config and STILL redirects to /login. Conclusion: /admin/config requires TOTP step-up elevation (Epic [EPIC] Epic: Admin TOTP Step-Up Elevation #922 / Story [STORY] CLI remote mode: TOTP step-up elevation for admin commands #980), and the _enable_dependency_map fixture authenticates but never performs the elevation step (/admin/elevate -> /auth/elevate-form). An authenticated, unelevated session is bounced.
  4. Secondary defect: the file-local _fetch_csrf (line ~277) calls page.raise_for_status(), so a 303 throws instead of returning "". This defeats the ... or login_csrf fallback the author wrote at the call site — the fallback can never run.

Why it surfaced now (NOT a regression)

This is the FIRST full-regression execution to reach Phase 6. On v11.27.0 the e2e run failed at Phase 3 (temporal log-audit gate, 10 WARNINGs) and halted before Phases 4-6. Fixing #1321 unblocked Phase 3, so Phases 4-5-6 ran for the first time and exposed this pre-existing Phase-6 fixture gap. It is unrelated to the v11.28.0 changes (#1321 temporal-query provider resolution, #1322 langfuse test) — neither touches /admin/config, sessions, CSRF, elevation, or PG coordination.

Fix Direction

Make _enable_dependency_map perform TOTP step-up elevation before hitting /admin/config (mirror whatever pattern other elevation-requiring e2e/web tests use; if the e2e admin has no MFA configured, provision TOTP in the fixture first via the setup flow). Independently, harden the local _fetch_csrf to not raise_for_status() on 3xx (return "" on redirect) so the intended or login_csrf fallback is actually reachable. Reproduce with ./e2e-automation.sh --phase 6.

Severity

priority-3. Pre-existing e2e test-fixture gap in Phase 6 PG-parity; blocks 2 of ~13 Phase-6 tests. No product impact (the elevation gate is working as designed; the test simply doesn't elevate).

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions